Making better passwords

I have some theories I subscribe to in regard to password management and what kinds of patterns make good passwords. I found a news article that sums up those theories pretty well.  https://calvinayre.com/2018/04/16/business/peter-bassill-create-password-can-stand-hacking-attacks-video/

The TL;DR version:

  • Use memorable English words
  • Chain them together using a repeated special character
  • Use at least 3 individual words per password
  • Do not share passwords between sites, especially for important ones
  • Rotate them every 90 days (this seems a little on the strict side for a personal password but pretty reasonable for a shared password)
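A small generator for passphrases that follow this pattern, added here as an example (it is not from the article linked above). It uses a constructed 24-word list; a real generator should draw from a large published list such as the EFF diceware list. The entropy figures assume the attacker knows both the word list and the pattern, so the separator character contributes nothing and the strength comes from the vocabulary size and the number of words:

```python
import math
import secrets

# Constructed word list for this example only; a real generator should draw
# from a large published list such as the EFF long diceware list (7776 words).
SAMPLE_WORDS = [
    "anchor", "bridge", "cactus", "dolphin", "eagle", "falcon", "garden",
    "harbor", "island", "jungle", "kettle", "lantern", "meadow", "nickel",
    "orbit", "pepper", "quartz", "river", "saddle", "timber", "umbrella",
    "violet", "walnut", "yonder",
]


def make_passphrase(words, count=3, sep="-"):
    """Chain `count` randomly chosen words with one repeated special character."""
    if count < 3:
        raise ValueError("use at least three words")
    if len(sep) != 1 or sep.isalnum():
        raise ValueError("separator must be a single special character")
    # secrets (a CSPRNG), never the random module, for anything used as a secret.
    return sep.join(secrets.choice(words) for _ in range(count))


def entropy_bits(list_size, count):
    """Entropy of `count` independent picks from a list of `list_size` words.

    The separator is assumed to be guessable and contributes nothing; the
    attacker is modelled as knowing the word list and the pattern.
    """
    return count * math.log2(list_size)


def follows_pattern(passphrase, min_words=3):
    """True if `passphrase` is at least min_words alphabetic words joined by
    exactly one kind of non-alphanumeric separator (the pattern from the TL;DR)."""
    separators = {c for c in passphrase if not c.isalnum()}
    if len(separators) != 1:
        return False
    parts = passphrase.split(separators.pop())
    return len(parts) >= min_words and all(p.isalpha() for p in parts)


if __name__ == "__main__":
    phrase = make_passphrase(SAMPLE_WORDS, count=4, sep="!")
    print(phrase, follows_pattern(phrase))
    for n in (3, 4, 5):
        print(f"{n} words from the 7776-word EFF list: {entropy_bits(7776, n):.1f} bits")
```

Three picks from the 24-word sample list give only about 13.8 bits, which is why the list size matters: three words from a 7776-word list give about 38.8 bits and four give about 51.7, and the 90-day rotation in the list above does nothing to change those numbers.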

Steps for a More Private Internet Experience

Privacy online is getting harder and harder to achieve. That said, there are more tools available today than ever for a more private browsing experience: ad blockers, cryptocurrency, VPNs, and now encrypted DNS. https://arstechnica.com/information-technology/2018/04/how-to-keep-your-isps-nose-out-of-your-browser-history-with-encrypted-dns/ . Encrypted DNS (DNS over HTTPS or DNS over TLS) stops your ISP from reading the names you look up, though the ISP still sees the IP addresses you connect to and the server name (SNI) that TLS handshakes send in the clear. This kind of thing won’t fix net neutrality but it can help in a lot of other situations.

Yet Another Payment Info Breach

The high-end clothing retailers Saks and Lord & Taylor recently had a large batch of credit card payment information stolen.  https://www.nbcnews.com/news/us-news/data-breach-saks-lord-taylor-compromises-customer-payment-data-n861856

I don’t hold out a lot of hope for credit cards as they are currently implemented. The info is leaked too often, and once the card info is leaked the cards have to be destroyed and the banks or merchants, or both, end up taking a hit on the chargebacks. If banks and merchants weren’t absorbing those charges I don’t think credit cards would continue being used nearly as much as they are… and commerce would suffer until a new way of transacting was implemented.

Big Arrest of Modern Day Bank Robber

European police have arrested the man suspected of being the mastermind behind several high-profile cyber heists against banks. https://www.silicon.co.uk/security/cyberwar/cyber-banking-arrested-spain-230555

This is good news if you are a bank worried about people coming after your digital systems. It does bring up some interesting ideas though. Bank robbery is very rarely done in person the way it was in the early 20th century. Modern-day bank robbers exploit digital infrastructure and systems to pull off hauls at a massive scale (you couldn’t fit all that cash in a whole fleet of getaway cars).

More Data Leaks, More Problems

The latest company found to have “leaked” user data is Facebook. https://www.toptechnews.com/article/index.php?story_id=10300CJLC3G

Some people are upset by it, some less so. There were hopefully no credit cards leaked in this one, but there was a fair amount of personal information. From the site: “Cambridge Analytica harvested profile information from more than 50 million Facebook users without their permission, the Associated Press reported”. Apparently a developer on Facebook’s platform harvested all that data through an app and “leaked” it to Cambridge Analytica.

Obviously the best way to protect ourselves against this kind of thing is not to have that information on Facebook in the first place. Do not put anything online that you wouldn’t want your Mom or your next-door neighbor to know about, as the old saying goes. The scale of it is large. Some people apparently thought they had a bit more privacy on the website than they actually did. Privacy policies apparently don’t mean much when the queries are being made from inside the platform. I think there is a similar problem over at the NSA that a guy called Snowden talked about a few years ago. It will be interesting to see if anything comes of this.

Perfect Security is Impossible but Good Security is Not

It can be easy to get demoralized by the overwhelming task of protecting ourselves from the many pitfalls and monsters in cyberspace. There are so many vectors an attacker could come from, and so many things that could go wrong, that it can feel that no matter what we do we are still going to be at risk. In some sense that intuition is correct, but it is mostly a theoretical point. In practice, taking steps to protect yourself and your data is important and well worth the effort. https://www.howtogeek.com/340814/perfect-computer-security-is-a-myth-but-its-still-important/

  • Back up your files.
  • Update your passwords.
  • Check your bank statements for fraudulent activity.

Stay safe out there.

Pwned password checker… results may surprise

I recently came across this cool utility to check whether a password has been used in known data breaches.
https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/
This is useful as it gives much more insight into whether a password is truly unique. Most password usage is obscured and hidden (as it should be), and the checker keeps it that way: the version 2 API uses a k-anonymity range query, so only the first five hex characters of the password’s SHA-1 hash are sent to the service and the actual match is done locally. Hopefully tools like this can be used to improve password quality and knowledge, both in practice and in theory.

I tried some of my passwords… results may surprise….
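The check the Pwned Passwords v2 range API performs, as an added example that is not from Troy Hunt’s post or code: the client hashes the password with SHA-1, sends only the first five hex characters, and compares the remaining 35 against the returned list locally. The response body below is constructed for the example (the first suffix is the real tail of SHA-1("password"); the count and the other entries are made up), so it runs offline. `fetch_range` shows the live request against the real endpoint but is not called here:

```python
import hashlib
import urllib.request

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed stand-in for the body the range endpoint returns for prefix
# "5BAA6": each line is "<35-hex-char suffix>:<count>". The first suffix is the
# real tail of SHA-1("password"); the other suffixes and all counts are made up.
# Lines with count 0 are what the optional "Add-Padding: true" request header
# produces to hide the true response size from a network observer.
SAMPLE_RANGE_BODY = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
0F2C7A9D5B3E1C8A6F4D2B0E9C7A5F3D1B9:2
00000000000000000000000000000000000:0
A1B2C3D4E5F60718293A4B5C6D7E8F90ABC:0
"""


def sha1_prefix_suffix(password):
    """Split the upper-case hex SHA-1 of the password into the 5-char prefix
    that is sent to the API and the 35-char suffix that never leaves the host."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_body(body):
    """Map each returned suffix to its breach count, dropping padding entries."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        count = int(count)
        if count > 0:
            counts[suffix.upper()] = count
    return counts


def breach_count(password, body):
    """Times the password appeared in known breaches; 0 if not in the range."""
    _, suffix = sha1_prefix_suffix(password)
    return parse_range_body(body).get(suffix, 0)


def fetch_range(prefix):
    """Live query (not exercised offline). Only the 5-char prefix is sent."""
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "pwned-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_password_online(password):
    """Full client flow: hash locally, fetch the prefix's range, match locally."""
    prefix, _ = sha1_prefix_suffix(password)
    return breach_count(password, fetch_range(prefix))


if __name__ == "__main__":
    print("password ->", breach_count("password", SAMPLE_RANGE_BODY))
    print("eagle-quartz-saddle ->", breach_count("eagle-quartz-saddle", SAMPLE_RANGE_BODY))
```

A hit means the password is in a public wordlist and should be treated as already known to attackers; a miss says nothing about its strength, which is why this check belongs alongside, not instead of, the pattern advice above.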

The Control of Devices and Their Data is Important

https://www.theverge.com/2018/2/14/17011246/huawei-phones-safe-us-intelligence-chief-fears
It is obvious by now that control of data is important. Nation states are notoriously slow and often ill-informed when it comes to technology, but they have latched on to this issue in the last couple of years. It looks like the next phase of the technological cold war is going to be fought over where, geographically, devices and data centers send their data. This has serious implications for the future of data movement across the globe.
As cyber exploits and attacks have proliferated in recent years there is general mistrust of technology as a whole from governments (perhaps not unwisely). The U.S. intelligence community is now openly criticising devices made by Chinese manufacturers. Devices being made in China is hardly new, so it is going to be a difficult path to follow if the U.S. intelligence community is serious about this being an issue. Only time will tell.

Be Careful When Dealing With Cryptocurrency Exchanges

As someone who has been interested in cryptocurrency for a long time, I think it is important to remember that most of the time, when funds are lost, it is because of poor security at the exchange. This https://techcrunch.com/2018/02/12/bitgrail-hack-nano/  is just the latest example. Be careful when dealing with these things. If you hold assets like that, keep the private keys under your own control on your own machines rather than leaving the balance sitting on an exchange.

Best Practices for User Account Control

As a web developer, one task that comes up for nearly any application is implementing user account controls. The apps differ, but there are some fairly universal practices for keeping the accounts secure.

https://cloudplatform.googleblog.com/2018/01/12-best-practices-for-user-account.html?m=1

  1. Hash those passwords
  2. Allow for third-party identity providers if possible
  3. Separate the concept of user identity and user account
  4. Allow multiple identities to link to a single user account
  5. Don’t block long or complex passwords
  6. Don’t impose unreasonable rules for usernames
  7. Allow users to change their username
  8. Let your users delete their accounts
  9. Make a conscious decision on session length
  10. Use 2-Step Verification
  11. Make user IDs case insensitive
  12. Build a secure auth system
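Practices 1, 5 and 11 together, as an added example in Python that is not from Google’s post: a salted PBKDF2 hash stored with its parameters so it can be upgraded later, constant-time verification, no cap on password length, and usernames normalised so lookups are case-insensitive. The iteration count, the `$`-separated storage format and the `UserStore` class are assumptions made for this example:

```python
import hashlib
import hmac
import secrets
import unicodedata

ALGORITHM = "pbkdf2_sha256"
# Illustrative cost; check current OWASP guidance for the value to deploy.
# The stored record carries the count used, so it can be raised later.
ITERATIONS = 200_000


def normalize_username(raw):
    """Case-insensitive, Unicode-normalised user ID (practice 11)."""
    return unicodedata.normalize("NFKC", raw).strip().casefold()


def hash_password(password, iterations=ITERATIONS):
    """Salted, slow hash for storage (practice 1). PBKDF2 has no input length
    cap, so long passphrases are neither rejected nor truncated (practice 5)."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the record's own salt and cost, compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # hmac.compare_digest so a timing side channel cannot leak the digest.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def needs_rehash(stored):
    """True when the record was made with a weaker cost than current policy."""
    algorithm, iterations, _, _ = stored.split("$")
    return algorithm != ALGORITHM or int(iterations) < ITERATIONS


class UserStore:
    """Minimal in-memory account table keyed by the normalised username."""

    def __init__(self):
        self._users = {}

    def register(self, username, password):
        key = normalize_username(username)
        if key in self._users:
            raise ValueError("username taken")
        self._users[key] = hash_password(password)

    def login(self, username, password):
        key = normalize_username(username)
        record = self._users.get(key)
        if record is None:
            # Burn roughly the same work as a real check so an absent user
            # cannot be distinguished from a wrong password by response time.
            hash_password(password)
            return False
        ok = verify_password(password, record)
        if ok and needs_rehash(record):
            # Transparent upgrade: the plaintext is only available at login.
            self._users[key] = hash_password(password)
        return ok


if __name__ == "__main__":
    store = UserStore()
    store.register("Alice", "correct horse battery staple")
    print(store.login("alice", "correct horse battery staple"))
    print(store.login("alice", "wrong"))
```

The stored string records the algorithm and cost alongside the salt and digest, which is what makes `needs_rehash` possible: when the policy is raised, existing users are upgraded at their next successful login without a password reset.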